Hello, I have a multiline log file, but each file comes with a header that I want to discard, and I want to use only the part of the log that carries the important information. Can someone help me? Here is the original log file:

Audit file /oracle/SIC/AUDIT/SYS_OPERATIONS/ora_1695798.aud
Oracle9i Enterprise Edition Release 9.2.0.8.0 - 64bit Production
With the Partitioning option
JServer Release 9.2.0.8.0 - Production
ORACLE_HOME = /oracle/SIC/920_64
System name: AIX
Node name: duero
Release: 3
Version: 5
Machine: 00CF214F4C00
Instance name: SIC
Redo thread mounted by this instance: 1
Oracle process number: 37
Unix process pid: 1695798, image: oracle@duero (TNS V1-V3)

Sat Mar 19 06:03:53 2022
ACTION : 'CONNECT'
DATABASE USER: '/'
PRIVILEGE : SYSOPER
CLIENT USER: orasic
CLIENT TERMINAL:
STATUS: 0

Sat Mar 19 06:03:53 2022
ACTION : '/* BRARCHIVE */ CREATE PFILE = '/oracle/SIC/920_64/dbs/sap.ora' FROM SPFILE = '/oracle/SIC/920_64/dbs/spfileSIC.ora''
DATABASE USER: '/'
PRIVILEGE : SYSOPER
CLIENT USER: orasic
CLIENT TERMINAL:
STATUS: 0

But I only need these parts of the log:

Sat Mar 19 06:03:53 2022
ACTION : 'CONNECT'
DATABASE USER: '/'
PRIVILEGE : SYSOPER
CLIENT USER: orasic
CLIENT TERMINAL:
STATUS: 0

Sat Mar 19 06:03:53 2022
ACTION : '/* BRARCHIVE */ CREATE PFILE = '/oracle/SIC/920_64/dbs/sap.ora' FROM SPFILE = '/oracle/SIC/920_64/dbs/spfileSIC.ora''
DATABASE USER: '/'
PRIVILEGE : SYSOPER
CLIENT USER: orasic
CLIENT TERMINAL:
STATUS: 0
Dear All, I have a Search Head, Deployment Server, Monitoring Console, a Cluster Manager, an Indexer Cluster and two unclustered Indexers. On the Monitoring Console, I get alerts about the IOWaits being high on the two unclustered indexers, and this has been happening only since we upgraded to 8.2.5. There is no evidence of any issues other than this alert in SplunkWeb, and I want to disable it. I am using the following KB article: https://docs.splunk.com/Documentation/Splunk/8.2.5/Admin/Healthconf

On the Monitoring Console server, I have put the following into the etc\apps\search\local\health.conf file:

[feature:iowait]
alert:sum_top3_cpu_percs__max_last_3m.disabled = 1

However, I am still getting the alert appearing in SplunkWeb on the Monitoring Console server. Why is this? Am I configuring the health.conf on the wrong server or in the wrong folder, or what? When I run cmd btool health list, I see the configuration there, but Splunk is not doing as it is being told! If I am doing the wrong thing entirely, can someone point me to some documentation that explains what I should be doing? Thanks in advance!
Hi, how exactly does the cluster command work? I have lots of unstructured data that has different keys and values; how does Splunk detect and cluster these lines? What happens behind the scenes? https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Cluster

Any idea? Thanks
Hi there, I am trying to enable drilldown on a dashboard view to use a custom search (see the search string snippet below). Although the search with the aforementioned string works fine on its own, it complains when I use it within the drilldown custom search, saying "Unbalanced quotes". Any idea why? Thanks.
I have two slightly different forms of a tab-delimited log. Both are in the same index and have the same sourcetype. One has a leading number, and the other does not. How can I extract a single field name that looks at column 10 if there is a leading number and column 9 if not?

Log with a leading number:
1650556427.891  98.53.183.43  0.001  200  1560  GET  https ... DEN50-C1 PVnGZrUUkw0RcRcqs4 ...

Log without a leading number:
98.53.183.43  0.001  200  1560  GET  https ...  LAX50-C4 ht6GZrUdg5tRcRcq34 ...

I can't just look for field 10 because it will only work in one type of log and return the wrong information in the other. I made a RegEx query that picked the field position based on whether there was a leading number or not. The problem is that this does not work because the two subpattern names are the same.

Splunk Error: Regex: two named subpatterns have the same name (PCRE2_DUPNAMES not set).

(?(?=^\d+\.\d+\s)^(?:[^\t\n]*\t){10}(?P<fieldName>[^\t]+)|^(?:[^\t\n]*\t){9}(?P<fieldName>[^\t]+))

If I change the 2nd field name it saves, but only the first name is shown as a fieldName, and the entry without a leading number is not included in the fieldName. Is there a RegEx that can do this, or some other way without changing the log? I think if I was able to split the two log types into different sourcetypes I could do it easily. I don't think I can do that though. The logs come from AWS cloud servers. The same goes for removing the leading number. Thanks for your help.
I've recently onboarded data from Gsuite to Splunk. I'm currently trying to create a few queries, but I'm having problems creating queries due to the JSON format. I'm currently just trying to create a table with owner name, file name, time, etc. I've tried using the spath command and JSON formatting, but I can't seem to get the data into a table. Here's an example query:

index="gsuite" sourcetype="gws:reports:drive" | spath events{}.parameters{}.value.doc_title

but the field isn't created. Here's the data in the events{}.parameters{}.value field. Here's a sample of the data:

{
  "actor": { "profileId": "Sample Text" },
  "etag": "\"Sample Text\"",
  "events": [{
    "name": "sheets_import_range",
    "parameters": [
      { "boolValue": true, "name": "primary_event" },
      { "name": "billable" },
      { "name": "recipient_doc", "value": "123456789" },
      { "name": "doc_id", "value": "123456789" },
      { "name": "doc_type", "value": "spreadsheet" },
      { "name": "is_encrypted" },
      { "name": "doc_title", "value": "sampletext.xls" },
      { "name": "visibility", "value": "shared_externally" },
      { "name": "actor_is_collaborator_account" },
      { "name": "owner", "value": "johndoe@gmail.com" },
      { "name": "owner_is_shared_drive" },
      { "name": "owner_is_team_drive" }
    ],
    "type": "access"
  }],
  "id": {
    "applicationName": "drive",
    "customerId": "123456789",
    "time": "2022-05-06T20:55:00.285Z",
    "uniqueQualifier": "-123456789"
  },
  "kind": "admin#reports#activity"
}

I would like the data to look like this:

owner              doc_title       doc_type     visibility
johndoe@gmail.com  sampletext.xls  spreadsheet  shared_externally
I am trying to create a Splunk Alert which -- well, the details will take too long to explain. The issue is that I'm generating a stats list where some of the results have a single value while others have multiple, e.g.

PrimaryField   SecondaryField
resultToKeep   result1 result2
resultToToss   result1

How do I filter out the 'resultToToss' based on the fact that there's only 1 'SecondaryField' result for it?
Hello Splunk Community, We are getting ready to migrate our indexers to new hardware. We would like to take the approach of adding the new indexers into our current cluster after which we'll remove the indexers on the old hardware from the cluster. The only problem is we may be putting RHEL 8 on these new indexers and the old ones have RHEL 7. I know the docs say that the indexers must be on the same OS and OS version, but wondering if we still might be able to mix these two for a short time while we transition from the old to the new hardware. Any insight is appreciated. Thanks!
I have a requirement: after submit, I need to hide and show a row's panel based on the dropdown condition. When Day is selected, show panel 1, and when Hour is selected, show panel 2. I have queries in the panels, so I also don't want them to execute, by adding the token condition.

<fieldset submitButton="true" autoRun="false">
  <input type="dropdown" token="timespan">
    <label>Time Span</label>
    <choice value="1h">Hour</choice>
    <choice value="1d">Day</choice>
    <initialValue>1d</initialValue>
    <default>1d</default>
  </input>
</fieldset>
<row depends=???>
  ----- panel 1
<row depends=???>
  ----- panel 2

How do I set and unset the token after submit, and what should the depends condition in row/panel be?
Hi everyone, would anyone know a way to make it possible for my Y-Axis highest value to change depending on $click.value2$? For context, below are some screenshots of the dashboard that I am working on for my team. What it aims to do is the following: display three (3) different reports by setting the following:

1. Select a report to view via "Select to View", then click "Submit".
2. The default date would be used in the "From MM/DD/YYYY" and "To MM/DD/YYYY" text inputs. Users will have to edit the date in them to adjust the time period.
3. Proceed to the panel on the left, where they must click one of the values ($click.value2$), which will then generate the Area Chart on the right panel.

My current dilemma is that each specific report has its own "Max Y-Axis Value". Is there a way for me to set that without using "Chart Overlay", so that it would be easier for our business unit to understand? Preferably using XML or any default Splunk features (version 8.1.3). Thank you.
I'm working with some syslog data that is being pulled in from a gzip file. The data looks like this:

Apr 28 23:59:01 hostname systemd: Removed slice User Slice of pdw.
Apr 28 23:59:01 hostname systemd: Started Session 9904 of user pdw.
Apr 28 23:59:01 hostname systemd: Created slice User Slice of pdw.
Apr 28 23:58:01 hostname systemd: Removed slice User Slice of pdw.
Apr 28 23:58:01 hostname systemd: Started Session 9903 of user pdw.
Apr 28 23:58:01 hostname systemd: Created slice User Slice of pdw.
Apr 28 23:57:01 hostname systemd: Removed slice User Slice of pdw.
Apr 28 23:57:01 hostname systemd: Started Session 9902 of user pdw.
Apr 28 23:57:01 hostname systemd: Created slice User Slice of pdw.
Apr 28 23:56:01 hostname systemd: Removed slice User Slice of pdw.

The issue is that instead of seeing April 28 in _time, what I'm seeing is what appears to be the timestamp of the file source="/var/log/messages-20220501.gz". The 2,974,360 events in the gzip run from Aug 1 to May 3. Does Splunk not get the date from each event in the gzip, or did Splunk run up against a limitation and not process them due to the number of events?
Hello! I am looking for your help. I have 2 indexer nodes in a Splunk indexer cluster with rf=2 and sf=2, and we want to add 2 more nodes to this site; I only have one virtual site. I need your help because I want to update the rf to 3. So by adding a new node and updating the rf, will the historical data from the 2 oldest nodes be replicated to the new nodes to meet the replication factor?
I have logs that resemble the table below.

index=linux sourcetype=group | table group group_id, users

group   group_id  users
splunk  1         admin, john, jill
apache  2         sarah, bill

I would like the events to be separated by individual users so it looks like the table below. Is there a way to utilize transforms/props to separate the events by each different user?

index=linux sourcetype=group | table group group_id, users

group   group_id  users
splunk  1         admin
splunk  1         john
splunk  1         jill
apache  2         sarah
apache  2         bill
Hello, everyone! I get the error "WARN: Search filters specified using splunk_server/splunk_server_group do not match any search peer." when I'm trying to search on the Search Head. I started to get such errors after I changed peers in the distributed search settings. Now I have added my indexers in distributed search, and I get this error with the search "index=*"; when I try the search "index=* splunk_server" it works fine. The peers are connected. Help me please.
Hello @chrisyounger, love your components. I'm trying to use the Dendrogram drilldown to "Manage tokens on this dashboard" but it doesn't seem to work. Looking in the browser console I can see the tokens being set, but my form values don't get set. Any ideas?

<viz type="dendrogram_viz.dendrogram_viz">
  <title>title</title>
  <search>
    <query>~Query Here~</query>
    <earliest>0</earliest>
    <latest></latest>
  </search>
  <option name="dendrogram_viz.dendrogram_viz.color1">#171d21</option>
  <option name="dendrogram_viz.dendrogram_viz.color2">#ffffff</option>
  <option name="dendrogram_viz.dendrogram_viz.delimiter">-&gt;</option>
  <option name="dendrogram_viz.dendrogram_viz.html">no</option>
  <option name="dendrogram_viz.dendrogram_viz.label_size">100</option>
  <option name="dendrogram_viz.dendrogram_viz.layout">vertical</option>
  <option name="dendrogram_viz.dendrogram_viz.linkcolor">#555555</option>
  <option name="dendrogram_viz.dendrogram_viz.max_rows">1000</option>
  <option name="dendrogram_viz.dendrogram_viz.node_ancestor_spacing">400</option>
  <option name="dendrogram_viz.dendrogram_viz.node_sibling_spacing">400</option>
  <option name="dendrogram_viz.dendrogram_viz.node_size">80</option>
  <option name="dendrogram_viz.dendrogram_viz.nodecolor">#999999</option>
  <option name="dendrogram_viz.dendrogram_viz.radius">500</option>
  <option name="dendrogram_viz.dendrogram_viz.tidy">yes</option>
  <option name="dendrogram_viz.dendrogram_viz.zoom">yes</option>
  <option name="drilldown">all</option>
  <option name="height">1000</option>
  <option name="refresh.display">progressbar</option>
  <drilldown>
    <set token="form.parentageSpan">$dendrogram_viz_id$</set>
  </drilldown>
</viz>
Hi all, I'm not an English native speaker, but I will do my best to explain the question. To be clear, I need to do this in a "Report". So that means I can't use a saved job as in a Dashboard. So I need to do this in a single search, I guess.

I did some previous search and got a result table like the table below:

Test_Project  Test_Site  Failed_Test_Items     Test_Admin_Email
Notebook_XX   A          Item_1 Item_5 Item_7  dog@mail.com, cat@mail.com, bird@mail.com
Mobile_DD     A          Item_1 Item_2         dog@mail.com
Notebook_XX   B          Item_3                cat@mail.com
Mobile_DD     B          Item_6 Item_7         bird@mail.com, cat@mail.com

Failed_Test_Items is a multi-value column. Test_Admin_Email is a single-string column. Anyway, I need to send an email about the testing result row by row. For example, send this to 3 different email addresses: dog@mail.com, cat@mail.com, bird@mail.com

Test_Project  Test_Site  Failed_Test_Items
Notebook_XX   A          Item_1 Item_5 Item_7

And send this to two email addresses: bird@mail.com, cat@mail.com

Test_Project  Test_Site  Failed_Test_Items
Mobile_DD     B          Item_6 Item_7

Every row will represent a different email. So in this case, I will send 4 emails. And it needs to be done by Report, because I need to schedule it. Please help me in a simple way, maybe with some simple examples. I am still a Splunk noob.
Hi, I am trying to set up a health rule which can trigger an alert when the calls per minute for a given Business Transaction drop below a certain percentile (in my case I am thinking 50% or maybe 25%). I added a screenshot from an issue that triggered a few days back. I already have an alert set up if it drops below a specific value of 10, but in this case it went from about 415 calls/min to below 200 calls/min.
Hi, I have a table like this:

id  value
1   12
2   10

I want to do this calculation in Splunk: (10/12)*100% (meaning (value of the second id / value of the first id)*100%). How do I do it, please?
Retrieving SAM data from the event server via the REST API, I get records like this:

<metricId>11326213</metricId>
<metricName>Hardware Resources|Service Availability|59|Success Rate (%)</metricName>
<metricPath>Application Infrastructure Performance|Root|Individual Nodes|usl00001292.us.hsbc|Hardware Resources|Service Availability|59|Success Rate (%)</metricPath>
<frequency>SIXTY_MIN</frequency>
<metricValues>
  <metric-value>
    <startTimeInMillis>1651823040000</startTimeInMillis>
    <occurrences>60</occurrences>
    <current>0</current>
    <min>0</min>
    <max>100</max>
    <useRange>true</useRange>
    <count>24</count>
    <sum>2400</sum>
    <value>100</value>
    <standardDeviation>0</standardDeviation>
  </metric-value>
</metricValues>
</metric-data>
<metric-data>

As you can see, the service monitored is identified by a number, here 59. Same thing in the metrics browser. This attribute is called the config ID. However, I cannot see how to map the number (59 in the above example) to the (service name, URL target, machine agent server) identifier. I cannot find the (service name, URL target, machine agent server) triplet identifier of the SAM monitor anywhere in the metrics tree. Any clue? Thanks in advance. Regards, Philippe
Hi, usually I use the dashboard in full screen mode (Firefox). How can I remove the first two rows (splunk>enterprise... (in black) and Search Analytics... (in green))? I want this because I don't have a lot of space on the screen.